TrueConf Server supports password-free authentication using single sign-on (SSO) technology and the Kerberos protocol. This feature is available only when integration with a directory service via LDAP has been configured. This article walks through some configuration examples.
The overall guideline for setting up Kerberos SSO includes the following steps:
- Add SPN (more details below).
- Generate a keytab file.
- Apply settings on the server side.
In the context of Kerberos SSO, it is important to understand what a Service Principal Name (SPN) is. An SPN is the unique identifier of a service instance; in our case TrueConf Server is the service that the domain controller knows about. An SPN consists of several parts:
    protocol/server.name@DOMAIN
The public server name specified during registration should be used as server.name.
Example:
    trueconf/video.example.com@EXAMPLE.COM
The examples in this article use the command line, but the same steps can also be performed in a GUI.
Active Directory
In Active Directory (AD) the service principal name (SPN) is linked either to a computer account or to a user account. We urge you not to link the SPN to the computer account of the machine where TrueConf Server is deployed, because this may disrupt that machine's operation in the domain. For correct operation, create a separate service account with the following settings:
- The user cannot change the password.
- The password never expires.
This precaution matters because otherwise a new keytab file would have to be generated for the account every time its password is changed or expires.
To configure Kerberos SSO, take these steps:
- Run PowerShell as the administrator and import the module for working with the AD service:
    Import-Module ActiveDirectory
- Assign required values to the following variables:
    $Username = "kb_user"                    # Username
    $Password = "UserPassword!"              # User password
    $DisplayName = "KB_USER"                 # User display name
    $Path = "OU=Users,DC=yourdomain,DC=loc"  # Path to the organizational unit where the user will be created
- Run this command to create a new service user based on the specified variables:
    New-ADUser -Name $DisplayName -SamAccountName $Username -Path $Path -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
- Add an SPN and link it to the created user:
    setspn -U -S trueconf/server.name@yourdomain.loc $Username
- Generate a keytab file:
    ktpass -princ trueconf/server.name@YOURDOMAIN.LOC -mapuser $Username -crypto ALL -ptype KRB5_NT_PRINCIPAL -pass $Password -target yourdomain.loc -out C:\yourdomain.keytab
Then, go to the TrueConf control panel and configure Kerberos SSO as it is described in the documentation.
FreeIPA
In FreeIPA, the SPN is linked to a host entry, that is, to an existing A record in DNS. So, if the TrueConf Server host has not been added yet, now is the time to do it. To configure SSO via Kerberos:
- Open the terminal and obtain a Kerberos ticket with this command:
    kinit admin   # username of the domain administrator
- Assign required values to the following variables (with no spaces around the equals sign):
    IP_ADDRESS=10.10.10.10        # service IP address (TrueConf Server instance)
    TRUECONF=video.example.net    # Full domain name of the server
    FREEIPA=freeipa.example.lan   # Full domain name of the domain controller
- Add the TrueConf Server host with the specified variables by running the command:
    sudo ipa host-add --force --ip-address=$IP_ADDRESS $TRUECONF
- Add the SPN service:
    sudo ipa service-add trueconf/$TRUECONF
- To generate a keytab file, run the command:
    sudo ipa-getkeytab -s $FREEIPA -p trueconf/$TRUECONF -k trueconf.keytab
Then go to the TrueConf Server control panel and configure Kerberos SSO as it is described in the documentation.
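Both procedures above (ktpass in Active Directory, ipa-getkeytab in FreeIPA) end with a keytab file that must contain the SPN described at the start of this article. The following Python script is an added example, not TrueConf's code: it parses the MIT keytab format (version 0x0502) that both tools write, validates the service/host@REALM shape of an SPN, and reports whether the expected principal is present in the file, with which key version numbers and encryption types, so a keytab can be checked before it is uploaded to the server. The keytab it inspects is constructed inside the script with all-zero dummy keys; the function names, the sample timestamp and the three sample key types are assumptions, not output of either tool.

```python
# Added example (not TrueConf's code): inspect a Kerberos keytab before uploading it.
# Parses the MIT keytab format (version 0x0502) written by ktpass and ipa-getkeytab.
import struct

# Kerberos encryption type numbers (RFC 3961/3962/4757/8009)
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # DES and RC4: flag them if they are present
KRB5_NT_PRINCIPAL = 1        # the name type the article passes to ktpass -ptype


def parse_spn(spn):
    """Split 'service/host@REALM' and validate the shape used in the article:
    realm present and upper-case, host a fully qualified name."""
    if "@" not in spn or "/" not in spn:
        raise ValueError("SPN must look like service/host@REALM: %r" % spn)
    name, realm = spn.rsplit("@", 1)
    service, host = name.split("/", 1)
    if not (service and host and realm) or realm != realm.upper() or "." not in host:
        raise ValueError("bad SPN %r: need a FQDN host and an upper-case realm" % spn)
    return service, host, realm


def _counted(data):
    # counted_octet_string: 16-bit big-endian length followed by the bytes
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Build a version-2 keytab from (spn, kvno, enctype, key, timestamp)
    tuples. Used here only to construct test data with dummy keys."""
    out = [b"\x05\x02"]
    for spn, kvno, enctype, key, ts in entries:
        service, host, realm = parse_spn(spn)
        body = struct.pack(">H", 2)                 # num_components (realm not counted in v2)
        body += _counted(realm.encode())
        body += _counted(service.encode()) + _counted(host.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)             # 32-bit kvno extension
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)


def parse_keytab(data):
    """Parse an MIT keytab into a list of entry dicts (key bytes are not returned)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        parts = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        name_type, ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        pos += klen                   # skip the key itself
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "name_type": name_type, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
                        "timestamp": ts})
    return entries


def check_keytab(data, expected_spn):
    """Report whether expected_spn is in the keytab and which enctypes it carries."""
    parse_spn(expected_spn)
    hits = [e for e in parse_keytab(data) if e["principal"] == expected_spn]
    return {"found": bool(hits),
            "enctypes": sorted(e["enctype"] for e in hits),
            "weak_enctypes": sorted({e["enctype"] for e in hits} & WEAK_ENCTYPES),
            "kvnos": sorted({e["kvno"] for e in hits})}


# Constructed sample: the article's example SPN with three assumed key types.
SAMPLE_SPN = "trueconf/video.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_SPN, 3, 18, bytes(32), 1700000000),   # aes256, dummy all-zero key
    (SAMPLE_SPN, 3, 17, bytes(16), 1700000000),   # aes128, dummy all-zero key
    (SAMPLE_SPN, 3, 23, bytes(16), 1700000000),   # rc4-hmac, legacy type
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s  kvno=%d  %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    print(check_keytab(SAMPLE_KEYTAB, SAMPLE_SPN))
```

To check a real file, replace SAMPLE_KEYTAB with the bytes read from the keytab produced by ktpass or ipa-getkeytab and pass the SPN you registered; a result with "found" false usually means a realm case or host name mismatch between the SPN and the -princ or -p argument, and a non-empty "weak_enctypes" list shows which legacy key types ended up in the file.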